1. Field of the Invention
The present invention relates to a method for electronic transactions and, more specifically, to a method for exchanging signatures, by which document data are transmitted between two remote terminals through a communication network and the users of the two terminals exchange digital signature data for an agreed document with each other.
2. Description of the Related Art
With the progress of the information-oriented society, the importance of electronic transactions, by which commercial contract documents are exchanged through an information network, is increasing.
In electronic transactions, the digital signature applying a public-key cryptosystem is considered useful as a technique for authenticating the transmitter, approver, etc. of a message in the transmission and reception of computer messages.
Where two parties in an equal or competitive relation need to exchange digital signatures for contracts, etc., and are remote from each other across a communication network, it is necessary to prevent unfair practice in which one of them runs away with the signature of the other in a one-sided manner in the course of the exchange of the digital signatures.
For example, the parties to a contract (transactors) are assumed to be A and B. Suppose that, although A has transmitted its digital signature indicating that it has formally approved a certain contract document, B does not send back its digital signature indicating that it has formally approved the contract document stated above. A, which does not have the digital signature of B, cannot execute the contract stated above. On the contrary, since B has already procured the digital signature of A, B is in an advantageous position, where B can make the contract effective and carry it out at its convenience by attaching the digital signature of B thereto.
In order to remove such an inconvenience, it is necessary to guarantee that when one of the parties sends its formal digital signature, the other sends back its own formal digital signature to the former. One method fulfilling this requirement is to install on the communication network a third organization (mediation organization), which can judge the practices of the parties to the contract from an impartial position. This organization makes the two parties first submit their digital signatures to it and, after having confirmed that the two signatures are proper, sends the digital signature of A to B and the digital signature of B to A. However, with this signature exchange method, in which a mediation organization intervenes in every transaction, the load on the mediation organization is excessively heavy, and the method therefore has the drawback that the time necessary for a transaction increases.
The communication protocol for the signature exchange is described in detail e.g. in (1) Luc Longpre, "The use of public key cryptography for signing checks", Proc. Crypto 82, Aug. 23-25, USA, 1982, pp 191-192 and (2) Takaragi et al., "Authentication Method for Electronic Contracts with IC Card Key Management", The Transaction of the Institute of Electrical Engineers of Japan C, Vol. 107-C, No. 1, Jan. 1987, pp 46-53.
In addition, in relation to the content described above a US patent application (U.S. Ser. No. 180050) has been filed by Takaragi, et al.
First, the method by Luc Longpre will be explained. Suppose that transacting parties A and B put their signatures on a contract C. They then proceed according to the following procedure.
Step 1: B sends the digital signature E.sub.PKA (D.sub.SKA (-- Accept, C --)) of B indicating that it has made a temporary or preliminary agreement for the contract C to A.
Step 2: A sends the digital signature E.sub.PKB (D.sub.SKA (-- Sign, C --)) of A indicating that it has made a formal agreement for the contract C to B.
Step 3: B sends the digital signature E.sub.PKA (D.sub.SKB (-- Sign, C --)) of B indicating that it has made a formal agreement for the contract C to A.
Here (-- Accept, C --) indicates data indicating that the contract C is preliminarily accepted; D.sub.S (x) indicates data obtained by coding data x by a public-key cryptosystem using a secret key S; and E.sub.P (x) indicates data obtained by decoding data x by the public-key cryptosystem using a public-key P. Further, (-- Sign, C --) represents data indicating that the contract C is formally signed.
The literature described above by Luc Longpre suggests that in the case where some trouble takes place in the course of the signature exchange, e.g. if B does not send the formal signature of B to A in Step 3, A can force B into signing formally by showing the preliminary signature of B before a tribunal.
Luc Longpre indicates that a shortcoming of this method is that if A does not send the formal signature of A to B in Step 2, an unfair state arises in which only B has sent its preliminary signature to A.
In order to solve this problem, according to Luc Longpre, it is conceivable to set a delay time, after the expiration of which the preliminary signature is cancelled. However, in this literature no detailed study has been carried out, e.g. on measures to be taken when there are errors in the clock of either A or B. For this reason, Luc Longpre has concluded that this signature exchange method is not so excellent.
Next, the prior art method according to Takaragi will be explained.
Suppose that A and B put their signatures to a communication message M. They then proceed according to the following procedure.
Step 1: B prepares the temporary or preliminary signature T(B)=E.sub.B (c.sub.1 (M)) of B (in the literature described above, called digital tally) for a communication message M, which is sent to A. (In the literature described above, description is made by using a notation m in lieu of M and W.sub.B ' in lieu of T(B).) Here, c.sub.1 (M) represents the hash total of the communication message M obtained by using a first hash function, followed by data indicating the state of the relevant transaction such as the time, the sequential number, the name of the transaction, etc. However, c.sub.1 (M) does not satisfy the proper formality for validating the transaction. Further, E.sub.B (X) indicates data obtained by coding data X by the public-key cryptosystem using the secret key of the transacting party B.
Step 2: The transacting party A sends the formal signature S(A)=E.sub.A (c.sub.2 (M) ) of A to the transacting party B. (In the literature described above a notation W.sub.A is used in lieu of S(A).) Here, c.sub.2 (M) represents the hash total of the communication message M obtained by using a second hash function, which is different from the first hash function described above, followed by data indicating the state of the relevant transaction such as the time, the sequential number, the name of the transaction, etc. and satisfies the proper formality for validating the transaction.
Step 3: The transacting party B sends the formal signature S(B)=E.sub.B (c.sub.2 (M)) of B for the communication message to the transacting party A. (In the literature described above a notation W.sub.B is used in lieu of S(B).) Here c.sub.2 (M) is identical to c.sub.2 (M) in Step 2 stated above.
The literature by Takaragi et al. discloses the following items as a procedure for when trouble occurs in the signature exchange stated above.
(1) In Step 2, in the case where A does not send the formal signature of A or it sends its false signature after having received the preliminary signature of B, the preliminary signature of B is cancelled by recording it in a cancellation list. However, it is not judged which is improper, A or B.
(2) In Step 3, in the case where B does not send the formal signature of B or it sends its false signature after having received the formal signature of A, if the preliminary signature of B, which A submits, is in the cancellation list, it is judged that A is improper, and if the preliminary signature of B, which A submits, is not in the cancellation list, it is judged that B is improper.
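The exchange of Steps 1 and 2 and the cancellation-list judgment of items (1) and (2) can be traced in a short sketch. This is an added example, not code from the patent or the cited literature: it assumes toy textbook RSA keys built from known Mersenne primes, SHA-256 and SHA-512 standing in for the first and second hash functions, and reads the second case of item (2) as the tally not being in the cancellation list; all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent used by both toy keys

def keypair(p, q):
    """Textbook RSA key (n, d) from two primes. Toy parameters, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys from known Mersenne primes (assumption of this example).
N_A, D_A = keypair(2**61 - 1, 2**89 - 1)
N_B, D_B = keypair(2**107 - 1, 2**127 - 1)

def c(kind, M, state):
    """c1(M) or c2(M): hash total of M followed by transaction state data.
    state must be at most 8 bytes so the value stays below both moduli."""
    h = hashlib.sha256 if kind == 1 else hashlib.sha512
    return int.from_bytes(h(M).digest()[:8] + state, "big")

def sign(x, n, d):
    """E_A(X) / E_B(X): code X with the signer's secret key."""
    return pow(x, d, n)

def verify(sig, x, n):
    """Recover X with the signer's public key and compare."""
    return pow(sig, E, n) == x

def mediate(tally_of_b, cancellation_list):
    """Item (2): A submits B's tally after B withheld S(B)."""
    return "A improper" if tally_of_b in cancellation_list else "B improper"

def run(M, state, a_sends_formal=True):
    """Steps 1-2 with B never sending S(B); returns the mediator's judgment."""
    cancelled = set()
    t_b = sign(c(1, M, state), N_B, D_B)         # Step 1: B -> A, tally T(B)
    assert verify(t_b, c(1, M, state), N_B)      # A checks the tally
    assert not verify(t_b, c(2, M, state), N_B)  # a tally is not a formal signature
    if a_sends_formal:
        s_a = sign(c(2, M, state), N_A, D_A)     # Step 2: A -> B, S(A)
        assert verify(s_a, c(2, M, state), N_A)  # B checks S(A)
    else:
        cancelled.add(t_b)                       # Item (1): B cancels its tally
    return mediate(t_b, cancelled)               # A complains, showing T(B)
```
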
Neither the method proposed by Luc Longpre nor that proposed by Takaragi et al. has any function to protect the privacy of the transacting parties against the mediation organization, i.e. to have the mediation organization execute the mediation when trouble occurs without leaking the content of the contract document to it. For example, with the method proposed by Luc Longpre, the mediation organization can read out the content of Accept, i.e. the contract document M (=C) itself, from the digital signature D.sub.SKA (-- Accept, C --) submitted to the mediation organization.
On the other hand, in the prior art method proposed by Takaragi et al., no method is disclosed for confirming items necessary for the mediation without procuring the contract document M, i.e. that
(i) the digital tally E.sub.B (c.sub.1 (M)) and the formal digital signature E.sub.A (c.sub.2 (M)), E.sub.B (c.sub.2 (M)) correspond to each other, and
(ii) these digital signatures relate to the transaction between the transacting parties A and B.
(i) hash total h(M) of the contract document M;
(ii) intention data indicating whether the transacting party itself has had a previous agreement to make the transaction or contract represented by h(M); and
(iii) preliminary digital signature T(B) (or T(A)) and formal digital signature S(B) or S(A) sent by the other party of the transaction.